Protect Your Ports with a Reverse Proxy

In a previous article, I discussed Apache Tomcat, which is the ideal way to run
Java applications from your server. I explained that you can run those
apps from Tomcat's default 8080 port, or you can configure Tomcat to use
port 80. But, what if you want to run a traditional Web server
and host
Java apps on port 80? The answer is to run a reverse proxy.

The only assumption I make here is that you have a Web-based application
running on a port other than port 80. This can be a Tomcat app, like I
discussed in my last article, or it can be any Web application that has
its interface via the Web (such as Transmission, Sick Beard and so on). The other
scenario I cover here is running a Web app from a second server, even if
it's on port 80, but you want it to be accessed from your central Web
server. (This is particularly useful if you have only one static IP to
use for hosting.)

The way reverse proxying works, at least with the Apache Web server, is
that every application is configured as a virtual host. Just like you can
host multiple Web sites from a single server using virtual hosting, you
also can host separate Web apps as virtual hosts from that same
server. It's
not terribly difficult to configure, but it's very useful in practice. First
things first. On your server, you have the Web server installed
(Figure 1). You also have a Web application on port 8080 (Figure 2).
Along with the working Apache Web server, you need to make sure virtual
hosting (by name) is enabled.

Figure 1. I have Apache installed, and it's hosting a very simple page.
on port 80.

Figure 2. I have a Web application running on port 8080 on the server
located at 192.168.1.11.

Enabling Name-Based Virtual Hosts

Enabling name-based virtual hosting on Apache is extremely common,
and it's very simple to do. Depending on what distribution you're using,
the "proper" location for enabling name-based virtual hosting may
differ. The nice thing about Apache, however, is that generally as long
as the directive is specified somewhere in the configurations, Apache
will honor it.

My local test server is running Ubuntu. In order to determine where the
"proper" place to enable name-based virtual hosting is, I simply went to
the /etc/apache2 directory and executed:

grep NameVirtualHost *

That command searches for the NameVirtualHost
directive, and it returned this:

root@server:/etc/apache2# grep NameVirtualHost *
ports.conf:NameVirtualHost *:80
ports.conf: # If you add NameVirtualHost *:443 here,
# you will also have to change

Those results tell me that the NameVirtualHost directive is specified
in the /etc/apache2/ports.conf file. (Note that grep will return
only the lines that
contain the search term, which is why it shows those two
out-of-context lines above. The important thing is the filename
ports.conf, which is what I was looking for.) Again, with Apache, it generally
doesn't matter where you specify directives, but I like to stick with
the standards of the particular distribution I'm using, if only
for the sake of future administrators.

To enable name-based virtual hosting, you simply uncomment:

NameVirtualHost *:80

from the file, and save it. If you can't find a file that contains such
a directive commented out, just add the line to your apache.conf or
httpd.conf file. Then you need to specify a VirtualHost directive for
the virtual host you want to create. This process is the same whether
you're making a traditional virtual host or a reverse proxy virtual host.

The Design The Lamborghini Veneno brings the aerodynamic efficiency of a racing prototype to the road. Every detail of its form pursues a clear function Off-road Vehicle Work Lights exceptional dynamics, optimum downforce with minimal drag and perfect cooling of the high-performance engine.

Good post Shawn. I have used Squid in the past as a reverse proxy but your method is simpler, and better if your needs are simple and have Apache installed already. Thanks!

BTW, how about designating a small number of readers as moderators to have the power to remove comment spam from the site? I'd volunteer to do it. It would be less work to delete the spam afterwards than to review it before it got posted (even through the latter method would be more effective).